Meraki

Community

Translating classic ACLs to site-to-site VPN firewall rules

iores
Here to help
5 hours ago
5 hours ago

Translating classic ACLs to site-to-site VPN firewall rules

Hi,

 

I need to translate hundreds of individual ACLs to one "big ACL" comprised of site-to-site VPN firewall rules.

 

Since the site-to-site VPN firewall rules are applied to the whole organization, it is not just copy-and-paste.

 

What are you experiences or suggestions to effectively perform this?

Labels:
0 Kudos
5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal
3 hours ago
3 hours ago

You can use APIs.

 

https://developer.cisco.com/meraki/api-v1/update-organization-appliance-vpn-vpn-firewall-rules/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
iores
Here to help
an hour ago
an hour ago

I was aiming more at how to create one big central ACL from hundreds of single ACLs, without the need to analyze every ACL entry. For example, if one ACL entry at location X, uses summarized prefix (10.0.0.0/8) to denote source IPs at that specific location, if I just copy this as site-to-site VPN firewall rule I could influence traffic from all locations, not just X, and I don't want to do that. 

0 Kudos
In response to iores
alemabrahao
Kind of a big deal
Kind of a big deal
an hour ago
an hour ago

I believe there's no magic/easy solution.

 

You have to analyze each ACL you create to know which sources, destinations, and ports to allow or deny.

 

How can you do this without even knowing the current configuration?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to iores
ww
Kind of a big deal
Kind of a big deal
29m ago
29m ago

Maybe you could use group policies and attach it to a vlan. Group policy fw rules are stateless like acl's.

PhilipDAth
Kind of a big deal
Kind of a big deal
34m ago
34m ago

It's a horrible job.

 

What I have done previously is to use the "Rule description" field to tag where the rule was migrated from.  For example:

fwcorp-inside-to-brancha-cameras

 

You can also search on these, which reduces the huge monolith of rules down to just the narrow set you are interested in.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.